Win32/cryptor Possible explorer.exe issue [RESOLVED]

#1
sandrak

    New Member

  • Member
  • 3 posts
Basically, tonight I started receiving a lot of errors that said Windows had to shut down. It happened every 30 seconds or so. I suspected a virus and downloaded AVG. Found the virus - Win32/cryptor is what AVG displayed. Once the virus was deleted from the AVG vault, I had to restart. Then when the desktop was supposed to come up, it did not. The only thing visible is my background. I searched online and found that I could still access programs by Control Alt Delete and did so. It appears as though all of my stuff is there. However, after searching for explorer.exe, it was not found. I read another post online that had me browse through the registry using Control Alt Delete, to look in the Shell folder I believe, for the file, and if it wasn't there, then it should be added. If it was there then it was probably corrupt according to this source.
I did this and it appeared as though the file was there. Has the virus caused an error in a pathway? I know very little about computers, but here is the HijackThis log. Any help would be greatly appreciated. Thank you much in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:01:16 AM, on 11/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PhoneTray] C:\Program Files\Traysoft\PhoneTray\PhoneTray.exe
O4 - HKLM\..\Run: [Ydeso] rundll32.exe "C:\WINDOWS\Bjofuq.dll",e
O4 - HKLM\..\Run: [Bnivazemizufaze] rundll32.exe "C:\WINDOWS\asudocayewiduce.dll",e
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [AO_Reminder] C:\Program Files\AO Reminder\AO_Reminder.exe 1
O4 - HKCU\..\Run: [Freebie Notes] "C:\Program Files\Power Soft\Freebie Notes\FreebieNotes.exe"
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...ploader_v10.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: __c00EE71A - C:\WINDOWS\system32\__c00EE71A.dat (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 6800 bytes

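As an added example (not part of this thread, and not code from HijackThis or its author): a small Python triage script that applies three defender-side heuristics to log lines of the kind shown above. It checks the F2 Userinit value for anything beyond userinit.exe itself, O4 Run entries where rundll32 loads a DLL sitting directly in the Windows directory rather than in system32 or a vendor folder, and O20 Winlogon Notify packages that point at a missing file or at something other than a DLL. The sample input is a handful of lines copied from the log above; the heuristics are my own and mark entries for review, not as confirmed malware.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: a subset of the HijackThis lines quoted in the
# post above, copied verbatim so the checks can be run offline.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Ydeso] rundll32.exe "C:\WINDOWS\Bjofuq.dll",e
O4 - HKLM\..\Run: [Bnivazemizufaze] rundll32.exe "C:\WINDOWS\asudocayewiduce.dll",e
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: __c00EE71A - C:\WINDOWS\system32\__c00EE71A.dat (file missing)
"""


@dataclass
class Finding:
    section: str   # HijackThis section code (F2, O4, O20)
    reason: str    # why the entry deserves a look
    line: str      # the original log line


# Section parsers for the three line types this script understands.
USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
# rundll32 command line: rundll32.exe "<dll>",<entry point>
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<entry>\S*)',
                       re.IGNORECASE)

# Directories where a rundll32 autorun DLL is unusual (system DLLs live in system32).
WINDOWS_ROOTS = ("c:\\windows", "c:\\winnt", "%systemroot%", "%windir%")


def check_userinit(value: str) -> List[str]:
    """Return every Userinit entry that is not userinit.exe itself.
    On a clean XP install the value is one path followed by a trailing comma."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith("\\userinit.exe")]


def check_run_entry(cmd: str) -> Optional[str]:
    """Heuristic: flag rundll32 loading a DLL placed directly in the Windows root."""
    m = RUNDLL_RE.match(cmd.strip())
    if not m:
        return None
    dll = m.group("dll")
    parent = dll.rsplit("\\", 1)[0].lower()
    if parent in WINDOWS_ROOTS:
        return f"rundll32 loads {dll} (entry point '{m.group('entry')}') from the Windows root"
    return None


def check_winlogon_notify(name: str, path: str) -> Optional[str]:
    """Winlogon Notify packages should be DLLs that exist on disk."""
    if "(file missing)" in path:
        return f"Winlogon Notify package {name} points at a missing file: {path}"
    if not path.lower().endswith(".dll"):
        return f"Winlogon Notify package {name} is not a DLL: {path}"
    return None


def triage(log_text: str) -> List[Finding]:
    """Run the three heuristics over a HijackThis log and collect findings in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = USERINIT_RE.match(line)
        if m:
            for extra in check_userinit(m.group("value")):
                findings.append(Finding("F2", f"extra Userinit entry: {extra}", line))
            continue
        m = RUN_RE.match(line)
        if m:
            reason = check_run_entry(m.group("cmd"))
            if reason:
                findings.append(Finding("O4", f"[{m.group('name')}] {reason}", line))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            reason = check_winlogon_notify(m.group("name"), m.group("path"))
            if reason:
                findings.append(Finding("O20", reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}")
```

Run against the sample, the script reports the second Userinit entry, both rundll32 autoruns in C:\WINDOWS, and the missing Winlogon Notify file, while leaving the Synaptics and AVG entries alone; that is the review list, and each item still needs checking on the machine before anything is removed.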
#2
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Disable resident protections (Antivirus...); you'll re-enable them after the scan

Download Lop S&D here

Double-click Lop S&D.exe
Choose the language, then choose Option 1 (Search)
Wait till the end of the scan
Post the log which is created: (%SystemDrive%\lopR.txt)

#3
sandrak

    New Member

  • Topic Starter
  • Member
  • 3 posts
Below I have pasted the results of the scan you suggested. I could not figure out how to turn off AVG. It did not seem to interfere with the scan, but I really know nothing about these things. I also am going to list the results of the virus scan and the infections that were removed just before my missing desktop problem started.


6 infections found
6 infected objects removed or healed
5 spyware found
5 spyware removed
306 warnings


Infections were
C:\WINDOWS\system32\A9ins_880808.exe Trojan horse FakeAlert.CJ
The next 4 were located in

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\3RWQUADT\ag[1].exe Trojan horse SHeur2.CXM

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\40V5WRXX\ag[1].exe Trojan horse SHeur2.CXM

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\40V5WRXX\load2[1].exe Trojan horse PSW.Generic6.AQNP

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CNQZXSFZ\b[1].exe Trojan horse Downloader.Generic3.VSL



Just as I was posting this an alert and vault message appeared for the following virus

C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\SAQWC4UT\av_2009[1].exe

Trojan horse Agent.AMHL

I am just about to remove it.



Now spyware was also detected
3 that were this

C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE

1 like this - that had an orange exclamation point beside it.
It also said that a reboot was required to finish this action for it (removal, I assume):
C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE(1332)

And finally, this, which i believe might be relevant to my issue

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\DSS

Infection note says:
Found registry key with reference to infected file C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE


Now below is the result of the scan


--------------------\\ Lop S&D 4.2.4-9c XP/Vista

Microsoft Windows XP Home Edition ( v5.1.2600 ) Service Pack 2
X86-based PC ( Uniprocessor Free : Intel® Celeron® M processor 1400MHz )
BIOS : Phoenix NoteBIOS 4.0 Release 6.0
USER : Kim ( Administrator )
BOOT : Normal boot
Antivirus : AVG Anti-Virus Free 8.0 (Activated)
C:\ (Local Disk) - NTFS - Total:37 Go (Free:23 Go)
D:\ (CD or DVD)

"C:\Lop SD" ( MAJ : 01-11-2008|16:30 )
Option : [1] ( Sat 11/22/2008|10:25 )

--------------------\\ Listing folders in APPLIC~1

[09/16/2006|06:57] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe
[10/21/2007|03:35] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple
[10/26/2006|10:21] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple Computer
[11/21/2008|06:33] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> avg8
[01/03/2007|01:15] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> BVRP Software
[09/21/2007|08:48] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> CanonBJ
[01/09/2008|02:21] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Google
[11/21/2008|07:57] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Google Updater
[03/15/2008|12:17] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft
[07/29/2008|10:46] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> MSScanAppDataDir
[04/06/2008|11:15] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> PopCap
[09/16/2006|06:54] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> QuickTime
[08/20/2007|12:39] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> River Past G5
[09/30/2008|04:09] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Symantec
[12/12/2006|09:32] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> TEMP
[02/09/2008|11:24] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Windows Genuine Advantage

[09/16/2006|09:30] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Microsoft

[07/12/2008|04:43] C:\DOCUME~1\Kim\APPLIC~1\<DIR> Adobe
[07/31/2008|01:48] C:\DOCUME~1\Kim\APPLIC~1\<DIR> AdobeUM
[02/26/2008|08:57] C:\DOCUME~1\Kim\APPLIC~1\<DIR> Apple Computer
[11/21/2008|06:53] C:\DOCUME~1\Kim\APPLIC~1\<DIR> AVGTOOLBAR
[02/16/2008|08:41] C:\DOCUME~1\Kim\APPLIC~1\<DIR> Canon
[11/27/2007|08:39] C:\DOCUME~1\Kim\APPLIC~1\<DIR> ClassRoom GradeBook
[10/27/2008|04:29] C:\DOCUME~1\Kim\APPLIC~1\<DIR> Google
[01/17/2007|11:56] C:\DOCUME~1\Kim\APPLIC~1\<DIR> Help
[09/16/2006|05:08] C:\DOCUME~1\Kim\APPLIC~1\<DIR> Identities
[11/04/2006|04:46] C:\DOCUME~1\Kim\APPLIC~1\<DIR> InterVideo
[09/21/2006|12:25] C:\DOCUME~1\Kim\APPLIC~1\<DIR> Macromedia
[07/03/2008|04:44] C:\DOCUME~1\Kim\APPLIC~1\<DIR> Microsoft
[02/20/2008|09:32] C:\DOCUME~1\Kim\APPLIC~1\<DIR> Real
[08/20/2007|12:34] C:\DOCUME~1\Kim\APPLIC~1\<DIR> River Past G5
[06/30/2008|07:57] C:\DOCUME~1\Kim\APPLIC~1\<DIR> Snapfish
[07/26/2007|03:58] C:\DOCUME~1\Kim\APPLIC~1\<DIR> Sonic
[09/16/2006|07:01] C:\DOCUME~1\Kim\APPLIC~1\<DIR> Sun
[09/16/2006|06:55] C:\DOCUME~1\Kim\APPLIC~1\<DIR> Symantec

[11/21/2008|06:32] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Microsoft
[11/18/2008|04:48] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> twain_32

[12/03/2007|08:09] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Microsoft
[11/18/2008|04:48] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> twain_32

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[09/16/2008 08:37 PM][--a------] C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[11/21/2008 11:49 PM][--ah-----] C:\WINDOWS\tasks\SA.DAT
[08/04/2004 07:00 AM][-r-h-----] C:\WINDOWS\tasks\desktop.ini
[08/20/2007 12:40 AM][--a------] C:\WINDOWS\tasks\Symantec NetDetect.job

--------------------\\ Listing Folders in C:\Program Files

[01/03/2007|01:16] C:\Program Files\<DIR> ABBYY FineReader 5.0 Sprint
[01/03/2007|01:15] C:\Program Files\<DIR> ABBYY FineReader 6.0
[09/16/2006|06:57] C:\Program Files\<DIR> Adobe
[11/18/2008|05:36] C:\Program Files\<DIR> Antivirus 2009
[10/02/2008|03:05] C:\Program Files\<DIR> AO Reminder
[04/26/2008|12:06] C:\Program Files\<DIR> Apple Software Update
[04/26/2007|11:21] C:\Program Files\<DIR> Applied Vision
[08/20/2007|12:15] C:\Program Files\<DIR> Audacity
[11/21/2008|06:33] C:\Program Files\<DIR> AVG
[09/21/2007|08:49] C:\Program Files\<DIR> Canon
[09/21/2007|08:48] C:\Program Files\<DIR> CanonBJ
[11/27/2007|08:38] C:\Program Files\<DIR> ClassRoom GradeBook
[09/30/2008|04:12] C:\Program Files\<DIR> Common Files
[09/16/2006|05:48] C:\Program Files\<DIR> ComPlus Applications
[09/16/2006|06:25] C:\Program Files\<DIR> CONEXANT
[01/03/2007|01:15] C:\Program Files\<DIR> FaxTools
[10/27/2008|04:28] C:\Program Files\<DIR> Google
[09/16/2006|06:02] C:\Program Files\<DIR> Hewlett-Packard
[09/16/2006|07:00] C:\Program Files\<DIR> HPQ
[01/03/2007|01:15] C:\Program Files\<DIR> InstallShield Installation Information
[09/16/2006|07:03] C:\Program Files\<DIR> Intel
[11/04/2008|07:52] C:\Program Files\<DIR> InterActual
[10/16/2008|03:41] C:\Program Files\<DIR> Internet Explorer
[09/16/2006|06:28] C:\Program Files\<DIR> InterVideo
[04/26/2008|12:17] C:\Program Files\<DIR> iPod
[04/26/2008|12:18] C:\Program Files\<DIR> iTunes
[01/09/2008|02:21] C:\Program Files\<DIR> Java
[09/11/2007|05:02] C:\Program Files\<DIR> Lexmark X1100 Series
[09/16/2006|09:00] C:\Program Files\<DIR> Microsoft ActiveSync
[11/21/2008|06:56] C:\Program Files\<DIR> Microsoft Common
[09/16/2006|09:30] C:\Program Files\<DIR> microsoft frontpage
[09/16/2006|08:59] C:\Program Files\<DIR> Microsoft Office
[09/16/2006|08:58] C:\Program Files\<DIR> Microsoft.NET
[09/16/2006|09:28] C:\Program Files\<DIR> Movie Maker
[12/13/2006|12:36] C:\Program Files\<DIR> MSN Games
[09/16/2006|09:30] C:\Program Files\<DIR> msn gaming zone
[04/26/2007|10:47] C:\Program Files\<DIR> MSXML 4.0
[11/25/2007|10:29] C:\Program Files\<DIR> Netflix
[09/16/2006|09:28] C:\Program Files\<DIR> NetMeeting
[09/16/2006|09:28] C:\Program Files\<DIR> Online Services
[06/13/2007|05:31] C:\Program Files\<DIR> Outlook Express
[11/21/2008|11:56] C:\Program Files\<DIR> Panda Security
[11/22/2008|09:11] C:\Program Files\<DIR> PC Doc Pro
[08/25/2008|08:11] C:\Program Files\<DIR> Power Soft
[12/11/2006|09:16] C:\Program Files\<DIR> Quicken
[04/26/2008|12:15] C:\Program Files\<DIR> QuickTime
[07/13/2007|10:59] C:\Program Files\<DIR> Real
[09/16/2006|07:00] C:\Program Files\<DIR> RecordNow!
[08/20/2007|01:57] C:\Program Files\<DIR> Shuangs WAV to MP3 Converter
[09/16/2006|07:00] C:\Program Files\<DIR> Sonic
[04/26/2007|11:23] C:\Program Files\<DIR> STMicroelectronics
[09/30/2008|04:14] C:\Program Files\<DIR> Symantec
[09/16/2006|06:26] C:\Program Files\<DIR> Synaptics
[05/10/2007|12:49] C:\Program Files\<DIR> TeacherWorks
[04/21/2007|01:04] C:\Program Files\<DIR> The Learning Company
[09/01/2008|02:14] C:\Program Files\<DIR> Traysoft
[11/22/2008|12:58] C:\Program Files\<DIR> Trend Micro
[09/16/2006|05:08] C:\Program Files\<DIR> Uninstall Information
[11/22/2008|09:26] C:\Program Files\<DIR> Windows Live Safety Center
[02/09/2008|11:28] C:\Program Files\<DIR> Windows Media Connect 2
[02/09/2008|11:28] C:\Program Files\<DIR> Windows Media Player
[05/08/2007|07:44] C:\Program Files\<DIR> windows nt
[09/16/2006|09:29] C:\Program Files\<DIR> WindowsUpdate
[09/16/2006|09:30] C:\Program Files\<DIR> xerox

--------------------\\ Listing Folders in C:\Program Files\Common Files

[09/17/2006|07:32] C:\Program Files\Common Files\<DIR> Adobe
[10/21/2007|03:35] C:\Program Files\Common Files\<DIR> Apple
[09/16/2006|09:00] C:\Program Files\Common Files\<DIR> DESIGNER
[09/16/2006|06:54] C:\Program Files\Common Files\<DIR> InstallShield
[09/16/2006|06:59] C:\Program Files\Common Files\<DIR> Intuit
[09/16/2006|07:01] C:\Program Files\Common Files\<DIR> Java
[11/21/2008|06:33] C:\Program Files\Common Files\<DIR> Microsoft Shared
[09/16/2006|09:28] C:\Program Files\Common Files\<DIR> MSSoap
[09/16/2006|09:21] C:\Program Files\Common Files\<DIR> ODBC
[09/16/2006|06:59] C:\Program Files\Common Files\<DIR> Palo Alto Software
[07/13/2007|11:00] C:\Program Files\Common Files\<DIR> Real
[09/16/2006|09:28] C:\Program Files\Common Files\<DIR> Services
[09/16/2006|07:00] C:\Program Files\Common Files\<DIR> Sonic
[09/16/2006|09:21] C:\Program Files\Common Files\<DIR> SpeechEngines
[09/16/2006|07:00] C:\Program Files\Common Files\<DIR> SureThing Shared
[09/30/2008|04:14] C:\Program Files\Common Files\<DIR> Symantec Shared
[06/13/2007|05:31] C:\Program Files\Common Files\<DIR> System
[07/13/2007|11:00] C:\Program Files\Common Files\<DIR> xing shared

--------------------\\ Process

( 32 Processes )

IEXPLORE.EXE ~ [PID:1392]
IEXPLORE.EXE ~ [PID:4080]

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

C:\DOCUME~1\Kim\Cookies\[email protected][2].txt
C:\DOCUME~1\Kim\Cookies\[email protected][1].txt

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-22 10:26:49
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 0

--------------------\\ Searching for other infections

--------------------\\ ROGUES ..

C:\PROGRA~1\Antivirus 2009



[F:11880][D:47]-> C:\DOCUME~1\Kim\LOCALS~1\Temp
[F:246][D:0]-> C:\DOCUME~1\Kim\Cookies
[F:15398][D:165]-> C:\DOCUME~1\Kim\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - Sat 11/22/2008|10:38 - Option : [1]

--------------------\\ Scan completed at 10:38:57




NOTE: After the above Lop scan, I used the online windows live one care tool and 5 things were detected

The 3 that it listed specifically are

Trojan:Win/32/AgentBypass.gen!
Trojan:Win32/Vundo.gen!V
TrojanSpy:Win32/zbot.gen!C

I then ran another scan with AVG with no results. I guess AVG doesn't pick these up? Or possibly the Windows Live OneCare scan could have been mistaken?

Edited by sandrak, 22 November 2008 - 11:46 AM.


#4
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please download OTMoveIt3 by OldTimer from here.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Processes
    explorer.exe
    
    :Services
    
    :Reg
    
    :Files
    C:\PROGRA~1\Antivirus 2009
    C:\WINDOWS\system32\A9ins_880808.exe
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.




  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)


#5
sandrak

    New Member

  • Topic Starter
  • Member
  • 3 posts
I just wanted to thank you for your help. After a while, I ran sfc /scannow and I guess explorer.exe was replaced. I was able to run explorer and my desktop appeared. The errors that said Windows had to shut down continued, so I decided to save all my files and then restore the whole system.

I am grateful for your help.

Thanks!

#6
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.